With the deadline less than a year away, the project to ensure Expolink is compliant with the EU’s new General Data Protection Regulation (GDPR) is well under way.
As you will likely know, GDPR introduces many new rights for individuals wanting more access to their data and new requirements on businesses to ensure that any personal data is only processed and stored where absolutely necessary.
We have put together a team dedicated to ensuring that we are GDPR compliant for May 2018 and this guide outlines how we intend to address the key requirements brought about by GDPR.
As a Data Processor, Expolink will have its own requirements under GDPR, but we will also have more obligations to the Data Controller than ever before.
Our process review not only considered what we are required to do, but also how we can help our Clients, in their roles as Data Controllers, to meet their obligations.
In order to ascertain how we will be affected by GDPR’s provisions, we first reviewed all of the personal data that we hold.
A Data Mapping exercise was conducted, and a guide produced on how we would set about completing this task. We then contracted a data privacy consultant to complete a GDPR Gap Analysis, the outcome of which was very positive overall.
We identified some areas which require further consideration but remain confident that this activity will be completed shortly. Once completed, this template will be reviewed annually, or when a new process is implemented which requires the processing of personal data.
As well as identifying our legitimacy for holding such data, Data Mapping will also aid us in creating templates for Subject Access Requests (SARs) and Data Protection Impact Assessments (DPIA).
One “easy win” identified by the Gap Analysis was to review our Privacy Policies across the sites to reflect the new transparency requirements of the GDPR.
Call Handler Script
GDPR is all about transparency; allowing the data subject to know not only what data is being collected, but where it’s going and how long it will be there.
To ensure our callers are as informed as they can be, we are adding to our “call handler script” to brief the caller on their “data journey” and ensure they are fully informed about how Expolink handles their report and their data. It’s a small change, but it will be a big help in ensuring GDPR compliance.
Data Processing Agreements
A large part of our process requires us to process data on our clients’ behalf and, for international companies, to transfer that data out of the country, so Data Processing Agreements are an essential part of our business practice.
GDPR requires certain prescribed stipulations to be included but also outlines other topics which have to be addressed in the course of the agreement.
We are currently reviewing our data processing agreements to assist our Clients in fulfilling their new due diligence duties as controllers under GDPR. This, coupled with our ISO accreditation, aims to provide peace of mind to Clients that their employees’ data is sufficiently protected.
Subject Access Requests and Data Portability
Data Portability is another new right afforded to data subjects under the Regulation.
We will be developing a full procedure for dealing with subject access requests and developing template response forms to ensure that we can meet the one-month response deadline set out under GDPR.
Personal Data is only retained by Expolink at the request of the subject, and then only for four weeks from last contact. This information is held separately and, as such, is easily identified and isolated.
Should the data subject make a SAR to the controller after this period, only the headline data of the report will be held by Expolink and no personal data will be held.
Data Protection Impact Assessments (DPIA)
As part of our ISO27001 certification Expolink already maintains a Risk Register and assesses all new processes and procedures to ensure potential risks are identified and mitigated.
When combined with the Data Mapping exercise which is underway, most of the requirements of Article 35(7) have already been identified and addressed so we do not envisage that the GDPR’s DPIA requirement will significantly impact our current processes.
Breach Notification and Management
Whilst all the above is in place to ensure a breach does not happen, it is still important for Expolink to have a clear Data Breach Notification Policy.
In light of the new 72-hour notification requirement, a review of our current procedure is required to ensure that our process is as efficient as possible to help Controllers meet this timescale. As we already have a policy in place, this is likely to be another area which can be a “quick win” in our compliance journey.
Over the next few months, it is our intention to produce further updates not only to advise our Clients of our process, but hopefully help them in their endeavours to become GDPR compliant.